b'  OFFICE OF INSPECTOR GENERAL\n\n                 Audit Report\n\nAudit of the General and Application Controls in the\n Financial Management Major Application System\n\n                 Report No. 09-05\n                September 30, 2009\n\n\n\n\n   RAILROAD RETIREMENT BOARD\n\x0c                                       TABLE OF CONTENTS\n\n\nIntroduction\n Background ................................................................................................................. 1\n Objective...................................................................................................................... 2\n Scope .......................................................................................................................... 2\n Methodology ................................................................................................................ 3\n\nResults of Evaluation\n Segregation of Duties for Accounts Receivable Transactions is Not Enforced............ 5\n Access Control over Dataset Rules Needs to be Improved ......................................... 6\n Access Controls that Enforce Least Privilege Need Improvement............................... 8\n    Inconsistent Methodology Used ............................................................................................8\n    Inaccurate Base-Line Information Provided ..........................................................................9\n    Reauthorization Responses Not Implemented......................................................................9\n    Other Access Issues Noted for RUCS ..................................................................................9\n Field Service Access Profile Needs Updating............................................................ 11\n Controls over ACF2 Special Privileges Can be Improved.......................................... 12\n Contractor Account Management Can be Improved.................................................. 14\n Emergency Program Change Controls Can be Improved.......................................... 15\n Password Rules Are Inconsistent and Do Not Enforce Written Policy ....................... 16\n\nAppendices\n Appendix I Effectiveness of Controls over Access Provided to PAR ........................ 18\n Appendix II Effectiveness of Controls over Access Provided by ACF2..................... 19\n Appendix III Bureau of Fiscal Operations Management\'s Response ........................ 21\n Appendix IV Office of Programs Management\'s Response ...................................... 22\n Appendix V Bureau of Information Services Management\'s Response.................... 25\n\n\n\n\n                                                               i\n\x0c                                       INTRODUCTION\n\nThis report presents the results of the Office of Inspector General\xe2\x80\x99s (OIG) audit of\ngeneral and application controls over the financial management major application\nsystem using the methodology contained in the Government Accountability Office\'s\n(GAO) Federal Information System Controls Audit Manual (FISCAM). 1\n\nBackground\n\nThe Railroad Retirement Board (RRB) administers the retirement/survivor and\nunemployment/sickness insurance benefit programs for railroad workers and their\nfamilies under the Railroad Retirement Act and the Railroad Unemployment Insurance\nAct. These programs provide income protection during old age and in the event of\ndisability, death, temporary unemployment or sickness. The RRB paid over\n$10.1 billion in benefits during fiscal year (FY) 2008.\n\nThe RRB\xe2\x80\x99s financial management major application includes two mainframe\ncomponents, the Federal Financial System (FFS) and the Program Accounts\nReceivable (PAR) system, which support budget formulation and execution, general\nledger accounting, accounts payable, cost accounting, payroll, and accounts receivable\nactivities. Access to the financial management major application is controlled by ACF2,\na commercial access control software product, with additional security at the transaction\nlevel provided by core security within FFS or PAR. The core security controls user\nactivities such as document preparation and table entries, and their associated\napprovals. On-line data entry from personal computers in headquarters and field offices\nallows for updates to FFS and PAR, with overnight batch update processing and\nreporting.\n\nThe Bureau of Fiscal Operations (BFO) is the owner-of-record for FFS, PAR and the\nAutomated System to Recover Overpayments (ASTRO), and has responsibility for\nsystem administration of FFS and PAR. The BFO system administrator maintains the\nsecurity settings within FFS and PAR, including the access privileges for new and\nexisting users.\n\nThe Office of Programs is the owner-of-record for the RRB\xe2\x80\x99s benefit payment systems,\nincluding the Railroad Unemployment Claims System (RUCS) and the Field Address\nSuspension Termination System (FAST). The Office of Programs includes the RRB\xe2\x80\x99s\nField Service Office organizational component.\n\nThe Bureau of Information Services (BIS) is the owner-of-record for the Payment, Rate\nand Entitlement History System (PREH) and the Employment Data Maintenance\nSystem (EDMA). Additionally, BIS has responsibility for the security administration of\nACF2, which controls access to all mainframe systems and provides the initial access\n\n\n1\n Federal Information System Controls Audit Manual, GAO/AIMD-12.19.6 (January 1999), and revision\nGAO-09-232G (February 2009).\n\n                                                1\n\x0cgateway to FFS, PAR, RUCS, FAST, and ASTRO. BIS also maintains two separate\nsecurity systems that provide for the transaction level activities within RUCS and FAST.\n\nThe FISCAM provides a methodology for evaluating internal controls over the\nconfidentiality, integrity, and availability of data maintained in financial information\nsystems that support agency business operations. The FISCAM methodology aligns\nwith the internal control standards promulgated by the National Institute of Standards\nand Technology (NIST) in Special Publication (SP) 800-53, which makes it an ideal tool\nfor assessing agency progress in meeting requirements established by the Federal\nInformation Security Management Act of 2002 (FISMA). 2\n\nFISMA requires agencies to develop, document, and implement an agency-wide\ninformation security program. The OIG has the responsibility of evaluating the\ninformation security at the RRB. Information security means protecting information and\ninformation systems from unauthorized access, use, disclosure, disruption, modification\nor destruction in order to provide confidentiality, integrity and availability. Access\ncontrols limit or detect access to computer resources (data, programs, equipment, and\nfacilities), thereby protecting these resources against unauthorized modification, loss,\nand disclosure.\n\nThis audit was conducted pursuant to FISMA, which requires annual OIG security\nevaluations. This audit also supports the RRB\xe2\x80\x99s strategic goal of serving as responsible\nstewards of the agency\xe2\x80\x99s trust funds and financial resources, and its objective to ensure\nthe effectiveness, efficiency, and security of operations.\n\nObjective\n\nThe objective of this review was to determine the adequacy of the general and\napplication controls over the financial management major application system.\n\nScope\n\nThe scope of this evaluation was FY 2008 and included the financial management\nmajor application and the general support system environment in which it operates.\nDue to the impact of the benefit payment systems upon the financial management major\napplication, the access control and emergency program change portions of our general\nsupport system review included all component applications regardless of whether or not\nthey were specific components of the financial management major application.\n\nOur scope for the evaluation of software development was expanded to include projects\nas far back as FY 2005, the date when the last major modification of the financial\nmanagement major application took place. The scope for our evaluation of personnel\nsecurity included individuals hired by the RRB during calendar year 2007 in order to\n\n2\n Recommended Security Controls for Federal Information Systems, NIST SP-800-53 (December 2007);\nFederal Information Security Management Act of 2002, Title III of the E-Government Act of 2002,\nP.L. 107-347 (December 2002).\n\n                                               2\n\x0callow for the completion of the Office of Personnel Management background checks\nand references that were performed into FY 2008, following employment.\n\nMethodology\n\nTo accomplish our objective, we:\n\n   \xe2\x80\xa2   reviewed pertinent laws and guidance;\n   \xe2\x80\xa2   obtained and reviewed documentation to support software development projects\n       from FY 2005 through FY 2007 that impacted the financial management major\n       application;\n   \xe2\x80\xa2   obtained and reviewed documentation to support all emergency program\n       changes that occurred in FY 2008;\n   \xe2\x80\xa2   compared the RRB\xe2\x80\x99s password policy with the settings within the mainframe and\n       LAN general support systems and Federal Desktop Core Configuration, and\n       performed validation testing of major password rules;\n   \xe2\x80\xa2   obtained and reviewed documentation to support background investigation and\n       reference checks for employees hired during calendar year 2007;\n   \xe2\x80\xa2   obtained job descriptions for several employees with access to sensitive areas or\n       the financial management application, and determined through interview whether\n       those job descriptions were reasonably accurate and current;\n   \xe2\x80\xa2   obtained and reviewed documentation to support authorized key-card access as\n       of November 15, 2007, to sensitive areas including the data center, and\n       determined whether the access was appropriate to job function;\n   \xe2\x80\xa2   obtained and reviewed procedures for the removal and return of electronic\n       media, and conducted independent tests to verify backup tape delivery to, and\n       receipt from, the Federal Records Center;\n   \xe2\x80\xa2   obtained and reviewed documentation to support disaster recovery testing of the\n       financial management major application performed at the RRB\xe2\x80\x99s offsite test\n       facility during FY 2008;\n   \xe2\x80\xa2   obtained and reviewed listings of all mainframe and LAN user account\n       identifications (IDs) as of January 30, 2008 and February 15, 2008, and verified\n       that each user was a current RRB employee or an authorized non-RRB user;\n   \xe2\x80\xa2   selected a statistical random sample of PAR application users with access\n       greater than read-only as of December 10, 2008, and obtained and reviewed\n       their individual access profiles to determine if their access was appropriate to job\n       function;\n   \xe2\x80\xa2   obtained and reviewed documentation to support access to FFS and PAR\n       dataset files as of February 8, 2008 (and February 13, 2008, to determine\n\n\n\n                                             3\n\x0c      \xe2\x80\xa2   selected a statistical random sample of mainframe application users as of\n          January 30, 2008, and obtained and reviewed their individual access profiles to\n          determine if their access was appropriate to job function;\n      \xe2\x80\xa2   obtained and reviewed documentation to support the periodic reauthorization of\n          mainframe application users performed in FY 2008, to confirm that all\n          applications had been considered, and to evaluate the effectiveness of the\n          reauthorization process;\n      \xe2\x80\xa2   obtained and reviewed the access profiles as of February 12, 2009 and job\n          descriptions for field service employees to determine if their access was\n          appropriate to job function;\n      \xe2\x80\xa2   obtained and reviewed documentation to support special privilege access\n          provided through ACF2 as of January 30, 2008, to determine whether the access\n          granted was appropriate to job function and periodically reauthorized; and\n      \xe2\x80\xa2   interviewed responsible agency management and staff.\n\nThe primary criteria for this evaluation included:\n\n      \xe2\x80\xa2   GAO\'s FISCAM;\n      \xe2\x80\xa2   FISMA;\n      \xe2\x80\xa2   NIST SP 800-53;\n      \xe2\x80\xa2   GAO Standards for Internal Control in the Federal Government; 3\n      \xe2\x80\xa2   Office of Management and Budget (OMB) Circular A-130; 4 and\n      \xe2\x80\xa2   RRB policies and procedures.\n\nWe conducted this performance audit in accordance with generally accepted\ngovernment auditing standards. Those standards require that we plan and perform the\naudit to obtain sufficient, appropriate evidence to provide a reasonable basis for our\nfindings and conclusions based on our audit objectives. We believe that the evidence\nobtained provides a reasonable basis for our findings and conclusions based on our\naudit objectives. Fieldwork was conducted at RRB headquarters in Chicago, Illinois\nfrom December 2007 through May 2008, and October 2008 through June 2009.\n\n\n\n\n3\n    Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (November 1999).\n4\n    Management of Federal Information Resources, OMB Circular A-130 (November 2000).\n\n                                                   4\n\x0c                                     RESULTS OF EVALUATION\n\nOur review of the financial management major application determined that the general\nand application controls over entity-wide security program planning and management,\ndata center access, non-emergency systems development, and service continuity/data\nrecovery and backup procedures are adequate. However, the general and application\ncontrols are not adequate to ensure:\n\n      \xe2\x80\xa2   proper segregation of duties,\n      \xe2\x80\xa2   least privilege access control,\n      \xe2\x80\xa2   contractor account management,\n      \xe2\x80\xa2   authorized emergency program changes, and\n      \xe2\x80\xa2   consistent password management and implementation.\n\nThe details of our findings and recommendations for corrective action follow. Agency\nmanagement has agreed to take the recommended corrective actions except for\nrecommendations five, nine, and ten. The full texts of management\'s responses are\nincluded in this report as Appendices III, IV, and V.\n\nSegregation of Duties for Accounts Receivable Transactions is Not Enforced\n\nSecurity settings within the PAR component application allow some employees the\nability to both enter and approve their own accounts receivable documents or table\nentries, and therefore, do not support proper segregation of duties.\n\nGAO Standards for Internal Control in the Federal Government requires key duties and\nresponsibilities to be divided or segregated among different people, including the\nresponsibilities for processing, recording, and authorizing transactions. It states, \xe2\x80\x9c[n]o\none individual should control all key aspects of a transaction or event.\xe2\x80\x9d\n\nOur review of security profiles for a statistical random sample of 49 individuals with PAR\naccess greater than read only, disclosed 24 who are able to both enter and approve\ntheir own transactions. 5 We were advised by BFO management that supervisory review\nis performed for some PAR transactions processed in the debt recovery unit, but other\ntransactions are processed without review. Likewise, in the Office of Programs\nMedicare unit, management advised that their users may or may not approve their own\ntransactions based on the type of transaction processed. The Office of Programs has\nimplemented other "no authorization" transactions throughout their processes and has\nperformed validation studies to assess continued accuracy; however, no validation\nstudy has been performed for the types of Medicare transactions that are currently\nself-processed.\n\nWhen management has implemented policy decisions that eliminate or forego certain\ncontrols without implementing a compensating control, the risk for fraud or abuse\nincreases and management cannot ensure their control objectives will be achieved.\n5\n    See Appendix I for details of our testing methodology.\n\n                                                       5\n\x0cRecommendations\n\nWe recommend that the Bureau of Fiscal Operations:\n\n   1.    implement a control to ensure supervisory review of transactions that are\n         self-processed.\n\nWe recommend that the Office of Programs:\n\n   2.    implement regular reviews of Medicare option cases for accuracy; and\n\n   3.    perform a validation study to assess the accuracy of other types of Medicare\n         self-processed transactions.\n\nManagement\'s Response\n\nThe Bureau of Fiscal Operations will implement a control to ensure supervisory review\nof transactions that are self-processed.\n\nThe Office of Programs has agreed to initiate quarterly reviews of Medicare option\ncases in FY 2010, and will complete a validation study and issue a report that will\ndetermine the need for any additional studies.\n\n\nAccess Control over Dataset Rules Needs to be Improved\n\nDataset rules governing FFS and PAR do not enforce least privilege.\n\nOMB Circular A-130 requires agencies to incorporate controls such as least privilege\ninto applications and application rules. Appendix III \xe2\x80\x9cSecurity of Federal Automated\nInformation Resources\xe2\x80\x9d defines least privilege as \xe2\x80\x9cthe practice of restricting a user\xe2\x80\x99s\naccess (to data files, to processing capability, or to peripherals) or type of access (read,\nwrite, execute, delete) to the minimum necessary to perform his or her job.\xe2\x80\x9d\n\nOur review of FFS and PAR dataset access rules disclosed three individuals with\naccess to FFS datasets and five individuals with access to PAR datasets who do not\nneed the access for their current positions. All of the FFS users and one of the PAR\nusers identified here have full control over the datasets (read, write, execute, and\nallocate), while the other four PAR users have read, write, and execute privileges. One\nuser with full control to both FFS and PAR datasets has not required that access since\nat least March 2005.\n\n\n\n\n                                             6\n\x0cWe observed that BIS does not routinely request reauthorization of dataset accesses.\nWe also found that a review of the FFS and PAR dataset privileges has not been\nperformed since we previously identified a problem with those dataset rules in 2002. 6\n\nExcessive rights and privileges to data and sensitive system programs weaken the\noverall information security program, and prevent management from ensuring that their\ninformation systems are protected from intentional or unintentional modification.\n\nRecommendations\n\nWe recommend that the Bureau of Fiscal Operations:\n\n    4.    perform a review of FFS and PAR datasets, and initiate actions to remove the\n          unnecessary access privileges.\n\nWe recommend that the Bureau of Information Services:\n\n    5.    ensure that dataset privilege reviews are performed by system owners on an\n          annual basis to enforce least privilege.\n\nManagement\'s Response\n\nThe Bureau of Fiscal Operations will perform a review of FFS and PAR datasets, and\ninitiate actions to remove the unnecessary access privileges.\n\nThe Bureau of Information Services disagrees with recommendation five because they\nbelieve that enforcement of the security principle of least privilege with regard to data\naccess is not a management function for BIS and that they provide dataset access\nbased upon documented requests issued by data owners.\n\nOIG\'s Comments on Management\'s Response\n\nIn our opinion, the RRB Security Handbook places this responsibility for enforcing least\nprivilege with BIS security personnel because their responsibilities include:\n\n    \xe2\x80\xa2    defining the access control strategy for RRB security management,\n    \xe2\x80\xa2    modifying component users or dataset profiles to control ACF2 privileges and\n         access to protected resources,\n    \xe2\x80\xa2    assessing systems security requirements of group-level datasets,\n    \xe2\x80\xa2    monitoring the component\'s datasets to ensure proper protection of sensitive data,\n    \xe2\x80\xa2    assisting users in their assessment of user-identification-level datasets, and\n    \xe2\x80\xa2    assisting users in determining proper level of protection. 7\n\n6\n  Review of Information Security at the Railroad Retirement Board, OIG Report No. 02-04, February 5,\n2002, Recommendation 9.\n7\n  RRB Information Systems Security Policy, Standards and Guidelines Handbook (RRB Security\nHandbook), Chapter 10.2.6, June 15, 2007.\n\n                                                   7\n\x0cAdditionally, the RRB has implemented a procedure for periodic reviews to reauthorize\nusers\' access rights to component applications which are initiated by BIS security\npersonnel, but no similar reviews exist for application datasets. This inconsistency in\nthe RRB\'s access control strategy creates unnecessary vulnerability to sensitive RRB\ndata.\n\n\nAccess Controls that Enforce Least Privilege Need Improvement\n\nMainframe access controls, including the reauthorization process, are ineffective in\nensuring least privilege for all systems.\n\nOMB Circular A-130 requires agencies to incorporate controls such as least privilege\ninto applications. The RRB has implemented an annual reauthorization review of\nmainframe system accesses to enforce least privilege.\n\nOur review of access privileges for a statistical random sample of 45 mainframe users\ndisclosed 4 users who had inappropriate access based on his or her job function. 8 We\nalso reviewed the reauthorization process for the mainframe systems which were\nidentified as inappropriate for those four users. Our reviews of the reauthorization\nprocess revealed problems in the following three areas:\n\n      \xe2\x80\xa2    Various system owners apply inconsistent methodologies in determining whether\n           a user should retain their current access privileges.\n      \xe2\x80\xa2    The reauthorization request for one system, EDMA, did not contain accurate\n           base-line information.\n      \xe2\x80\xa2    Reauthorization responses for two systems, FAST and RUCS, were not made or\n           fully made by BIS.\n\nInconsistent Methodology Used\n\nEach year BIS provides the RRB system owners with a reauthorization request to\nvalidate current access privileges, but the methodology used by those system users is\nnot consistent. The system owner reviews the access privileges shown on the\nreauthorization request and instructs BIS in their reauthorization response to leave the\naccess privilege alone, modify the access privilege to a new transaction level, or delete\nthe access privilege. When the owner-of-record was in the Office of Programs, inquiries\nwere routinely made of the individual user\xe2\x80\x99s supervisor to determine whether the current\naccess privileges were appropriate. However, when the owner-of-record was in BIS,\nsuch inquiries were not made and the owners attempted to determine access\nappropriateness themselves. Since users of RRB systems are dispersed throughout\nthe agency, it is unrealistic to assume that a system owner can know the specific job\nfunctions of every user.\n\n8\n    See Appendix II for details of our testing methodology.\n\n                                                       8\n\x0cInaccurate Base-Line Information Provided\n\nTransaction level access provided in the EDMA system involves multiple programmed\ncodes. Most job functions require various combinations of these programmed access\ncodes, and each combination is translated to a generally known level of access that is\neasily identified by the system owner. However, the actual transaction level access of\nthe user is the individual programmed codes and not the translated generally known\nlevel of access. When BIS prepares the reauthorization request for EDMA, the\ncombinations of programmed codes for each user are translated to the generally known\nlevel of access. Only the generally known level of access is provided to the system\nowner for review. Our sample included one user for which the translation of\nprogrammed codes by BIS was not accurate, and the wrong level of access was\nprovided to the system owner for reauthorization. We found that the individual\nprogrammed codes for this user did not equate to any generally known level of access.\nInstead, the individual programmed codes for this user included one additional code\nbeyond the combination of codes required for her appropriate level of access.\n\nReauthorization Responses Not Implemented\n\nReauthorization responses requesting access modifications were not always made for\ntwo systems, FAST and RUCS. Both of these systems have transaction level access\nprovided by separate security systems other than ACF2. In our expanded testing of the\nreauthorization process for the mainframe systems which were identified as\ninappropriate for our sample selection, one of the modification requests for FAST was\nnot made and five users who were marked as no longer requiring RUCS access\ncontinued to be included in the separate security system that controls RUCS transaction\nlevel access.\n\nOther Access Issues Noted for RUCS\n\nWe noted five RUCS users who had been assigned access levels that were\ninappropriate to their job function. These users were not identified during the\nreauthorization process as having inappropriate access because the system owner\ngenerally validates, through a user\'s supervisor, whether RUCS access is necessary\nand not what level of access is appropriate. As a result, all of these users were given\nmore access than they required. We also noted four users with access specified in the\nseparate security system, but not on the RUCS ACF2 access list. These users do not\nhave RUCS access, but the system owner believes access is necessary for these\nusers. Since these four users were not on the RUCS ACF2 access list, their\nsupervisors were not asked to validate whether or not RUCS access is necessary.\nAccess for these users is currently questionable and may include old, outdated\ninformation in the separate security system.\n\nIneffective reauthorization of an individual\xe2\x80\x99s rights and privileges prevents management\nfrom ensuring that their information systems are protected from intentional or\nunintentional modification, or inappropriate viewing of privacy-related information.\n\n                                            9\n\x0cOutdated security rules that clutter the security management systems weaken the\noverall information security structure and require additional, unnecessary, work efforts\nduring the reauthorization process as those rules must be repeatedly identified when\nrequests for removal are ignored.\n\nRecommendations\n\nWe recommend that the Office of Programs:\n\n   6.   review the questionable RUCS access identified in our review and ensure only\n        appropriate access is allowed;\n\n   7.   ensure the inappropriate ASTRO, FAST, and RUCS access identified by our\n        review, and the outdated information in the separate security system that\n        controls RUCS transaction level access, are removed; and\n\n   8.   validate with a user\'s supervisor the RUCS transaction level access maintained\n        in the separate security system when reauthorizations of RUCS access are\n        performed.\n\nWe recommend that the Bureau of Information Services:\n\n   9.   ensure the inappropriate PREH Correction and EDMA access identified in our\n        review is removed;\n\n   10. develop procedures to be used by all BIS system owners in conducting system\n       reauthorizations which includes validation of user access by the user\'s\n       supervisor; and\n\n   11. provide the EDMA system owner with a reauthorization request that lists the\n       users and their individual programmed access codes, rather than one that lists\n       the users and their generally known translated access levels.\n\nManagement\'s Response\n\nThe Office of Programs agrees with the recommendations and advises that they have\ntaken corrective action to implement recommendations six and seven. Additionally, the\nOffice of Programs has advised that a security access audit for RUCS and BASS is\nplanned for the first quarter of calendar year 2010, at which time recommendation eight\nwill be addressed.\n\nThe Bureau of Information Services agrees with recommendation 11 and advises that\nthe conversion of access control to RACF will eliminate the use of individual access\ncodes. However, they disagree with recommendations nine and ten because the\nidentified employees are considered to have appropriate PREH Correction and EDMA\naccess, and because position-level roles are adequate indicators for access\nrequirements and role-based access has been used.\n\n                                           10\n\x0cOIG\'s Comments on Management\'s Response\n\nOur finding was based on interviews with employees or their immediate supervisors to\ndetermine the appropriateness of the employee\'s access with relation to job function. In\nall cases, we were advised that the employee did not have any job functions that\nrequired the use of the application or the level of functionality they held for the\napplication. We stand by our conclusion that the access for 4 of 45 employees, as cited\nin Appendix II, is inappropriate.\n\nWith respect to role-based access strategies and the principle of least privilege, it is\nimportant to address how roles change over time. We do not disagree with the use of\nrole-based access strategies; however, supervisors need to be periodically interviewed\nto ascertain the continued appropriateness of the access privileges assigned each role.\nDuring our interviews, we were advised that employees in one unit no longer performed\nthe job duties for which they held access privileges, and had not performed those job\nduties for several years. Without a change in the procedure used by BIS when\nreauthorizing access privileges, least privilege access rights will never be achieved.\n\n\nField Service Access Profile Needs Updating\n\nThe Field Service access profile has not been consistently applied in accordance with\nmanagement\xe2\x80\x99s assertion, nor does it enforce least privilege.\n\nOMB Circular A-130 requires agencies to incorporate controls such as least privilege\ninto applications. The RRB designed a Field Service profile in 1992 to be used for\ngranting application access to all Field Service employees. This profile has been\nmodified throughout the years to allow for new systems and functions required by Field\nService employees; but it has not been reviewed by RRB management to ensure its\naccuracy.\n\nOur review of access privileges for a statistical random sample of 45 mainframe users\ndisclosed 3 Field Service employees with different access privileges compared to other\nField Service employees in our sample. 9, 10 This is in conflict with management\xe2\x80\x99s\nassertion (through use of an access profile) that all Field Service employees should\nhave the same access privileges, regardless of the job position they hold.\n\nSince we disagree with management\xe2\x80\x99s assertion that all Field Service positions require\nthe same access privileges, we reviewed the job descriptions for many of the full-time\nField Service staff and for the six temporary Field Service staff employed at the time of\n\n\n\n9\n  See Appendix II for details of our testing methodology.\n10\n   The difference in access granted to these three Field Service employees resulted in lesser privileges\nthan the other Field Service employees in our sample. Therefore, we did not consider the differences\nnoted as errors in our statistical sample evaluation.\n\n                                                    11\n\x0cour review. 11 We found that none of the six contractual agreements for temporary\nemployment listed job duties that would require the individual to have identical access to\nmost full-time RRB Field Service employees. We also found that one full-time Field\nService position did not reflect the job duties that required the Field Service access\nprofile.\n\nAccess profiles designed to allow the same rights and privileges to all individuals\nincrease the risk for inappropriate disclosure of privacy-related information and prevent\nmanagement from ensuring their information systems are protected from intentional or\nunintentional modification.\n\nRecommendation\n\nWe recommend that the Office of Programs:\n\n     12. review the Field Service access profile and restrict its use to only those\n         positions that require access to all system privileges contained in that profile.\n\nManagement\'s Response\n\nThe Office of Programs has agreed to review the access profiles for the different job\ntypes and their access levels to make sure they have appropriate read/update\ncapabilities.\n\n\nControls over ACF2 Special Privileges Can be Improved\n\nInternal control over ACF2 special privileges need improvement.\n\nOMB Circular A-130 requires agencies to incorporate controls such as least privilege\ninto applications. GAO\'s FISCAM guidance further states \xe2\x80\x9c[b]road or special access\nprivileges, such as those associated with operating system software that allow normal\ncontrols to be overridden, are only appropriate for a small number of users who perform\nsystem maintenance or manage emergency situations. Such special privileges may be\ngranted on a permanent or temporary basis. However, any such access should also be\napproved by a senior security manager, written justifications should be kept on file, and\nthe use of highly sensitive files or access privileges should be routinely reviewed by\nmanagement.\xe2\x80\x9d ACF2 special privileges provide the type of access described by GAO\'s\nFISCAM, above.\n\nOur review of the ACF2 special privileges disclosed the following internal control\ndeficiencies:\n\n\n11\n  The RRB Field Service employs temporary workers through separate contractual agreements with\nnon-Federal employment agencies when workloads require additional staffing. These temporary\nemployees generally perform clerical duties in individual Field Service offices, and are not RRB\nemployees.\n\n                                                 12\n\x0c     \xe2\x80\xa2   Segregation of duties and least privilege is not enforced. We identified ten\n         individuals, including one contractor, who have the ability to create, modify, or\n         delete user accounts and the ability to assign access privileges to those\n         accounts. The contractor also has the ability to read all data files, and to submit\n         jobs for mainframe processing.\n\n     \xe2\x80\xa2   Special privilege reviews and reauthorizations are performed by the system\n         administrator who also enters the privilege rights, rather than a senior security\n         manager. Such reviews have not always identified unnecessary IDs with special\n         privileges for timely deletion. During the course of our review we requested\n         additional information regarding one \xe2\x80\x9cstarted task\xe2\x80\x9d ID with a special privilege, and\n         were informed that the ID had never been used and should be removed from the\n         system. We noted that the ID had been active for about three years.\n\n     \xe2\x80\xa2   Documentation to support reauthorization reviews of special privileges is not\n         created or kept. We were advised that BIS only creates documentation for the\n         creation, modification, or deletion of special privilege rights granted outside the\n         reauthorization process. This procedure originated in response to problems we\n         previously identified with documentation to support the granting of special\n         privileges in 2002. 12\n\nThe risk of inappropriate access to data and sensitive system programs, as well as the\ndisruption of services is greater when high-level special privileges are not adequately\ncontrolled.\n\nRecommendations\n\nWe recommend that the Bureau of Information Services:\n\n     13. review all assigned special privileges, including started tasks; and ensure\n         proper segregation of duties and least privilege is maintained for all users with\n         special privileges; and\n\n     14. implement a fully documented reauthorization review process of all special\n         privileges by a senior security manager, at least annually. Such reviews should\n         consider the identification and timely removal of unnecessary IDs with special\n         privileges.\n\nManagement\'s Response\n\nThe Bureau of Information Services agrees with recommendations 13 and 14 and\nadvises that the special privileges, as designed within ACF2, will be reviewed as part of\nthe conversion to RACF and that the Chief Security Officer will implement a fully-\ndocumented annual reauthorization review process of all special privileges.\n\n12\n Review of Information Security at the Railroad Retirement Board, OIG Report No. 02-04, February 5,\n2002, Recommendation 9.\n\n                                                 13\n\x0cContractor Account Management Can be Improved\n\nThe controls to ensure timely deletion of inactive contractor user accounts are not fully\neffective.\n\nOMB Circular A-130 requires agencies to incorporate controls such as least privilege\ninto applications. This includes the deletion of accounts that are no longer required.\nThe RRB has implemented policies for the management of user accounts that include\npromptly deleting the account from the system when services are no longer provided,\nand identifying and reviewing accounts that have not been used in the past year.\n\nDuring our review of all mainframe and LAN user accounts to verify that each user was\na current employee or an authorized non-employee, we noted one user account for a\ncontractor whose LAN account had not been used in three months. 13 We also noted\nthat the contractor\xe2\x80\x99s LAN account did not allow for temporary usage because it was set\nto \xe2\x80\x9cnever expire.\xe2\x80\x9d\n\nDuring interviews, BIS advised us that the contractor was no longer performing services\nfor the RRB and that they had previously deleted the LAN account. BIS proceeded to\ndelete the mainframe account in our presence. Two months later, however, we\ndiscovered that the LAN account was still active and brought that information to BIS\xe2\x80\x99\nattention. BIS then deleted the LAN account. As a result, the LAN user account\ndeletion took place nearly two months after BIS had become aware that the contractor\nwas no longer working, and evidence suggests that the contractor may have ceased\nservices as much as five months prior to account deletion.\n\nWhen a contractor continues to have access to systems after they have ceased\nemployment, the risk of unauthorized access is increased, which weakens the overall\nsecurity program.\n\nRecommendation\n\nWe recommend that the Bureau of Information Services:\n\n      15. implement a policy to provide for earlier identification and review of inactive\n          contractor accounts by utilizing the LAN account expiration setting, and timing it\n          to coincide with individual contract expectations.\n\n\n\n\n13\n     The contractor was a computer programmer hired to assist in a systems development project.\n\n                                                    14\n\x0cManagement\'s Response\n\nThe Bureau of Information Services agrees with the recommendation and has advised\nthat all contractor accounts will be established using the LAN account expiration setting,\ntimed to coincide with individual contract expectations.\n\n\nEmergency Program Change Controls Can be Improved\n\nControls designed to ensure that emergency program changes are made in accordance\nwith proper supervision and authorization need improvement.\n\nGAO Standards for Internal Control in the Federal Government require the proper\nauthorization and execution of transactions and events by persons acting within the\nscope of their authority, as well as the segregation of those duties. GAO\'s FISCAM\nguidance further states that emergency program changes should be promptly tested\nand approved; and integrated into change control, retroactively, as soon as possible\nafter the emergency change is made.\n\nThe RRB has designed a control for managing emergency changes by promptly\nnotifying BIS management of the emergency program change, and providing for a\nmeans to document the supervisor\xe2\x80\x99s subsequent authorization by deleting the source\nprogram code. This deletion automatically writes the program code to a separate file for\naudit purposes. There is no written procedure or formal time standard for performing\nthis activity. We were also advised by BIS that a program developer could not delete\ntheir own program code; only a supervisor can delete the source program code.\n\nOur review of emergency program changes showed that the timeframes for supervisory\ndeletion of source program code varied, many of which were unduly delayed. Of 22\nemergency program changes that occurred in FY 2008, 11 showed evidence of\nsupervisory review and approval within 2 business days of the emergency change. 14\nHowever, the program code for the other 11 was deleted between 7 and 109 days after\nthe emergency change took place. We also noted that on one occasion, the emergency\nprogram change was made by a supervisory-level employee, and that person was able\nto delete his own program code.\n\nProcessing errors or unauthorized program modifications can be introduced into the\ninformation system when adequate supervision and approvals are not present or unduly\ndelayed.\n\n\n\n\n14\n     Of the 22 emergency program changes, 19 were for the same system and occurred prior to May 2008.\n\n                                                   15\n\x0cRecommendations\n\nWe recommend that the Bureau of Information Services:\n\n     16. establish a formal, written, procedure for executing emergency program\n         changes. The procedure should specify a formal time standard for the review\n         and authorization of the emergency change; and\n\n     17. implement a control to prevent a single individual, including supervisory\n         personnel, from preparing an emergency program change and subsequently\n         deleting the program code themselves.\n\nManagement\'s Response\n\nThe Bureau of Information Services agrees with the recommendations and advises that\nthey will create a formal written procedure for executing emergency program changes\nwhich specifies a formal time standard for the review and authorization of emergency\nchanges. The procedure will also specify that the individual who prepares an\nemergency program change will not be permitted to delete his or her own program\ncode.\n\n\nPassword Rules Are Inconsistent and Do Not Enforce Written Policy\n\nThe RRB password rule settings are not consistently applied among agency platforms\nand do not enforce the written policy.\n\nNIST SP-800-53 requires agencies to manage information system authenticators.\nPasswords are used to identify and authenticate users. Identification distinguishes one\nuser from all others, and provides the means by which specific access privileges are\nassigned and recognized by the computer. The most widely used method of\nauthentication is with a password. As such, passwords must be controlled to reduce the\nrisk of unauthorized user access. Password rules are the means through which\npasswords are controlled, and include settings that stipulate character length and use,\nminimum and maximum age, password reuse, and account lockout when inaccurate\nauthentication attempts are made.\n\nNIST has also developed the Federal Desktop Core Configuration (FDCC) security\nconfigurations which include password rule settings for workstations. OMB has directed\nall agencies to implement the FDCC. The RRB has also established a written password\npolicy, and has implemented password rules using global settings in both the LAN and\nmainframe platforms, as well as for agency workstations. 15\n\n\n\n15\n  The global settings have been implemented through separate Group Policy Objects for the LAN servers\nand the FDCC regulated workstations, as well as through ACF2 Global Systems Options for the\nmainframe.\n\n                                                 16\n\x0cWe observed that the RRB\xe2\x80\x99s written password policy is out of date, and has not been\nadjusted to conform to the FDCC security configurations. Our reviews of the RRB\xe2\x80\x99s\npassword settings within the mainframe and LAN general support systems, including\nthose for agency workstations, showed that the various settings are inconsistent and do\nnot fully enforce the NIST FDCC security configurations. 16\n\nOur test of the effect of these inconsistencies showed that the FDCC password settings\nestablished in the FDCC Group Policy Object are not being applied. In the RRB\xe2\x80\x99s LAN\ngeneral support system, user authentication is a function performed at the server level\nand not locally on the user\xe2\x80\x99s workstation. Although the FDCC security configurations\napply to the workstations, and not the servers, the FDCC password settings must be\nimplemented at the server level in order for them to take effect. In addition, during our\nvalidation testing of major password rules, we observed that the RRB does not routinely\napply the LAN password setting to enforce single use of a temporary password when\nthe user is assigned a new password by the system administrators.\n\nWeak password rules increase the risk of unauthorized access to information systems.\n\nRecommendations\n\nWe recommend that the Bureau of Information Services:\n\n     18. update the written password policy in the Security Handbook and ensure its\n         conformance to the FDCC security configurations;\n\n     19. apply the FDCC password settings in the LAN server Group Policy Object; and\n\n     20. instruct the system administrators to begin using the temporary LAN password\n         setting.\n\nManagement\'s Response\n\nThe Bureau of Information Services agrees with the recommendations and advises that\nto the extent practicable, the written password policy in the RRB Security Handbook will\nbe updated in conformance with the FDCC security configuration. They will also apply\nthe FDCC password settings in the LAN server Group Policy Object, and will instruct\nCustomer Support Help Desk personnel to begin using the temporary LAN password\nsetting.\n\n\n\n\n16\n  The inconsistent settings are, in some instances, necessary due to software constraints. However, in\nother instances, the RRB has decided to deviate from the FDCC security configuration setting.\n\n                                                  17\n\x0c                                                                               Appendix I\n\n\n                          METHODOLOGY AND RESULTS\n               Effectiveness of Controls over Access Provided to PAR\n\n\nWe evaluated the access controls designed to ensure that individual user access to\nPAR is appropriate for their current job position.\n\nObjective\n\nThe objective of our test was to determine whether existing controls are effective to\nensure that the authorized individuals have appropriate access to the PAR system.\n\nScope\n\nWe selected our sample from the population of 84 PAR users with greater than\nread-only access as of December 10, 2008.\n\nReview Methodology\n\nWe used statistical attribute acceptance sampling using a 90% confidence and 6%\ntolerable error rate which directed a sample size of 49 users. The threshold for\nacceptance was one. If one or fewer errors were identified, the auditors may infer with\n90% confidence that control errors would not exceed 6%, and the controls were\noperating and effective.\n\nWe obtained and reviewed the individual access profiles for each user in our sample to\ndetermine if the accesses specified were appropriate to their job function. An error was\ndefined as:\n\n   \xe2\x80\xa2    A control that was not operating;\n   \xe2\x80\xa2    An operating control that could not be evidenced; or\n   \xe2\x80\xa2    An unacceptable outcome, such as inappropriate access, indicated that the\n        control was not effective.\n\nResults of Review\n\nOur evaluation of 49 randomly selected PAR users with greater than read-only access\nidentified 24 who are able to both enter and approve their own transactions. As a result,\nthe access control designed to enforce segregation of duties is not operating and it does\nnot restrict a user\xe2\x80\x99s actions based on their job function.\n\nConclusion\n\nThe 24 exceptions exceed the sample acceptance threshold. As a result, we cannot\nconclude that controls are effective to ensure that individual user access is appropriate\nand only allows access that is required for the performance of current job functions.\n\n\n                                            18\n\x0c                                                                               Appendix II\n\n\n                            METHODOLOGY AND RESULTS\n                Effectiveness of Controls over Access Provided by ACF2\n\n\nWe evaluated the access controls designed to ensure that individual user access is\nappropriate to their current job position.\n\nObjective\n\nThe objective of our test was to determine whether existing controls are effective in\nensuring that the authorized individuals have appropriate access to RRB information\nsystems through an ACF2 user ID.\n\nScope\n\nWe selected the sample from the population of 946 ACF2 mainframe users as of\nJanuary 30, 2008.\n\nReview Methodology\n\nWe used statistical attribute acceptance sampling using a 90% confidence and 5%\ntolerable error rate which directed a sample size of 45 users. The threshold for\nacceptance was zero. If no errors were identified, the auditors may infer with 90%\nconfidence that control errors would not exceed 5%, and the controls were operating\nand effective.\n\nWe obtained and reviewed the individual access profiles for each user in our sample to\ndetermine if the accesses specified were appropriate to their job function. An error was\ndefined as:\n\n   \xe2\x80\xa2    A control that was not operating;\n   \xe2\x80\xa2    An operating control that could not be evidenced; or\n   \xe2\x80\xa2    An unacceptable outcome, such as inappropriate access, indicated that the\n        control was not effective.\n\nResults of Review\n\nOur evaluation of 45 randomly selected mainframe users identified 4 users whose\naccess profile included privileges that were not required to perform their current job\nresponsibilities, as follows.\n\nUser No.                             Type of Errors Identified\n            \xe2\x80\xa2    Has access to PREH Correction without job duties dependent on that\n    1\n                 system.\n\n\n\n\n                                            19\n\x0c                                                                               Appendix II\n\n\nUser No.                                Type of Errors Identified\n             \xe2\x80\xa2   Has access to PREH Correction without job duties dependent on that\n                 system.\n    2        \xe2\x80\xa2   Reauthorization requested removal of RUCS access, but removal was\n                 only applied to the RUCS user list in ACF2 and not the RUCS user list in\n                 the separate security system.\n             \xe2\x80\xa2   Has access to PREH Correction without job duties dependent on that\n    3            system.\n             \xe2\x80\xa2   Has access to FAST without job duties dependent on that system.\n             \xe2\x80\xa2   Has access to ASTRO without job duties dependent on that system.\n             \xe2\x80\xa2   Has excessive access to EDMA without job duties for that function.\n    4\n             \xe2\x80\xa2   Reauthorization request for EDMA did not include accurate base-line\n                 information.\n\nConclusion\n\nThe four exceptions exceed the sample acceptance threshold. As a result, we cannot\nconclude that controls are effective to ensure that individual user access is appropriate\nand only allow access that is required for the performance of current job functions.\n\n\n\n\n                                             20\n\x0c                                                                   Appendix III\n                UNITED STATES GOVERNMENT\t                                          FORM G-l15f   [1-82]\n\n\n\n                 MEMORANDUM                                   RAILROAD RETIREMENT BOARD\n\n\n                                                              SEP 21 2009\nTO\t          Letty Benjamin Jay\n             Assistant Inspector General for Audit\n\n\nFROM\t        Kenneth P. Boehne    ~~~\n             Chief Financial Officer\n\n\nSUBJECT:\t Draft Report - Audit of the General and Application Controls in the\n          Financial Management Major Application System\n\n\n\nThank you for the opportunity to review and comment on the above draft report dated\nSeptember 11, 2009. Our comments are as follows:\n\nWe recommend that the Bureau of Fiscal Operations:\n\n      1.\t   implement a control to ensure supervisory review of transactions that\n            are self-processed.\n\n            We will implement a control to ensure supervisory review of transactions\n            that are self-processed. Target date: March 31,2010.\n\n      4.\t   perform a review of FFS and PAR datasets, and initiate actions to\n            remove the unnecessary access privileges.\n\n            We will perform a review of FFS and PAR datasets, and initiate actions to\n            remove the unnecessary access privileges. Target date: February 26,\n            2010.\n\n\ncc:\t John Walter, Chief of Accounting, Treasury and Financial Systems\n     Kristofer Garmager, Financial Systems Manager\n     Tom McCarthy, Debt Recovery Manager\n     Bill Flynn, Executive Assistant\n     Jill Roellig, Management Analyst\n\n\n\n\n                                          21\n\x0c                                                                               Appendix IV\n\n\n                                                                                          FORM G-115f (1\xc2\xb792)\n\n                                                                        RAILROAD   RETIREMENT      BOARD\n                      MEMORANDUM\n                                                                             SEP 232009\n\n\n\n\n                 Dorothy Isherwood\n                 Director of Programs\n\n\n\n                 Draft Report - Audit of the General and Application Controls in the\n                 Financial Management Major Application System\n\n\n\n\nOverall           We have reviewed the draft report and appreciate the fact that the review\ncomments          determined that the general and application controls over entity-wide security\n                  program planning and management, data center access, non-emergency\n                  systems development, and service continuity/data recovery and backup\n                  procedures are adequate.\n\n                  We concur with the recommendations      and will take action on those directed\n                  to the Office of Programs as follows.\n\n\nRecommendation    The OIG recommends that the Office of Programs:\n2\n\n\n\n\nOP Response       We agree. The Chief of Unemployment and Program Services Division will\n                  initiate quarterly reviews in FY 2010. We plan to close out this\n                  recommendation by May 31,2010 after the second review has been\n                  completed.\n\n\n\nRecommendation    The OIG recommends that the Office of Programs\n3\n                  Perform a validation study to assess the accuracy of other types of Medicare\n                  self-processed transactions.\n\n\n\n\n                                                   22\n\x0c                                                                                  Appendix IV\n\n\n\n\nOP Response\t     We concur. We will complete a validation study and issue a report by\n                 September 30, 2010. That report will determine the need for additional\n                 studies, if any.\n\n\nRecommendation\t The OIG recommends that the Office of Programs\n6\n                Review the questionable RUeS access identified in our review and ensure\n                only appropriate access is allowed.\n\n\n\nOP Response      We concur. In fact, we have already taken corrective action which we\n                 documented in an email to your office on Sept. 22, 2009.\n\n\nRecommendation   The OIG recommends that the Office of Programs\n7\n                 Ensure the inappropriate ASTRa, FAST, and RUeS access identified by our\n                 review, and the outdated information in the separate security system that\n                 controls RUeS transaction level access, are removed.\n\n\n\nOP Response      We concur. In fact, we have already taken corrective action which we\n                 documented in an email to your office on Sept. 22, 2009. .\n\n\nRecommendation   The OIG recommends that the Office of Programs\n8\n                 Validate with a user\'s supervisor the RUeS transaction level access\n                 maintained in the separate security system when reauthorizations of RUeS\n                 access are performed      .\n\n\n\nOP Response\t     We concur. The next security access audit for RUeS and BASS is planned\n                 for the first quarter of calendar year 2010. Our target date for closing out this\n                 audit recommendation is April 30, 2010.\n\n\nRecommendation\t The OIG recommends that the Office of Programs\n12\n                 Review the Field Service access profile and restrict its use to only those\n                 positions that require access to all system privileges contained in that\n                 profile.\n\n\n\n\n                                                   23\n\x0c                                                                                  Appendix IV\n\n\n\n\nOPResponse\t      We concur. Field Service and Policy and Systems will work together to\n                 review the access profiles for the different job types and their access levels\n                 to make sure they have appropriate read/update capabilities. This review will\n                 be completed by March 31,2009.\n\n\n\ncc:\t   Chief Information Officer\n       Chief Financial Officer\n       Director of Policy and Systems\n       Director of Operations\n       Director of Field Service\n\n\n\n\n                                                  24\n\x0c                                                                       Appendix V\n                                                                                   FORM G-1151 (1-92)\n                  ONI\'l\'ED STA\'I\'~;S GOVEHNM~;NT\n                                                                  RAILROAD RETIHEM~;N\'I\' BOARI>\n                 MEMORANDUM\n\n\n\n                                                              September 28, 2009\n\n\nTO\t           Letty B. Jay,\n              Assistant Inspector General for Audit\n\nFROM\t         Terri S. Morgan,          \'"" I. .lAY!,rtCt-\xc2\xad\n              Chief Information Officer ~       \'tI1/(; \'t!\nSUBJECT:\t Draft Report - Audit of General and Application Controls over the\n          Financial Management Major Application System\n\n\nThank you for the opportunity to review and respond to the subject draft report. The\nfollowing are the responses to the recommendations included in the report that were\naddressed to the Bureau of Information Services.\n\nRecommendation #5\nWe recommend that the Bureau of Information Services ensure that dataset privilege\nreviews are performed by system owners on an annual basis to enforce least privilege.\n\nResponse\nBIS disagrees with this recommendation. In general, we believe that enforcement of the\nsecurity principle of least privilege with regard to data access is not a management\nfunction for BIS. BIS provides dataset access based upon documented requests issued\nby data owners. BIS is not responsible for determining least privilege or defining the\nleast amount of privileges needed by users to perform their business functions.\nBusiness analysts in the owner bureaus/offices are granted the least privilege read\naccess to datasets relevant to the work of the bureau/office. Elevated access required\nto write to production data files generally is not allocated to individuals. System owners\ncan enforce least privilege by limiting dataset access privileges to the minimum number\nof employees needing access to data.\n\nRecommendation #9\nWe recommend that the Bureau of Information Services ensure the inappropriate PREH\nCorrection and EDMA access identified in our review is removed.\n\nResponse\nBIS disagrees with this recommendation. The identified employees are considered to\nhave appropriate PREH Correction and EDMA access. No further action is necessary.\n\n\n\n\n                                              25\n\x0c                                                                          Appendix V\n\n\n\nRecommendation #10\nWe recommend that the Bureau of Information Services develop ;procedures to be used\nby all BIS system owners in conducting system reauthorizations which includes\nvalidation of user access by the user\'s supervisor.\n\nResponse\nBIS disagrees with this recommendation. BIS rejects this recommendation on the basis\nthat role based access control (RBAC) is within NIST guidelines. The RRB has chosen\nthe position as the role for access, as this is the practical level of control for BIS\'\nstaffing. While more granular choices can be made, business and technical experts\nhave agreed in the past that position level roles are adequate indicators of access\nrequirements. The next scheduled reauthorization of the PREH and EDM application is\nscheduled to be conducted by Data Management Group in the 3rd calendar quarter of\n2010.\n\nRecommendation #11\nWe recommend that the Bureau of Information Services provide the EDMA system\nowner with a reauthorization request that lists the users and their individual\nprogrammed access codes, rather than one that lists the users and their generally\nknown translated access levels.\n\nResponse\nBIS agrees with this recommendation. As part of the conversion of access control to\nRACF, individual access codes are being eliminated. When conducting the\nreauthorization review of the EDMA system, Systems Assurance Group will provide the\nowner with a report of users and their access level descriptor. The next reauthorization\nreview for the EDMA system is scheduled for the 3rd calendar quarter 2010.\n\nRecommendation #13\nWe recommend that the Bureau of Information Services review all assigned special\nprivileges, including started tasks; and ensure proper segregation of duties and least\nprivilege is maintained for all users with special privileges.\n\nResponse\nBIS agrees with this recommendation. As part of the conversion to RACF, special\nprivileges as designed within ACF-2 are being reviewed by Infrastructure Services\nCenter. The conversion will be completed on or before December 1, 2009.\n\nRecommendation #14\nWe recommend that the Bureau of Information Services implement a fully documented\nreauthorization review process of all special privileges by a senior security manager, at\nleast annually. Such reviews should consider the identification and timely removal of\nunnecessary IDs with special privileges.\n\n\n\n\n                                            26\n\x0c                                                                           Appendix V\n\n\n\nResponse\nBIS agrees with this recommendation. The Chief Security Officer will implement a fully\ndocumented annual reauthorization review process of all special privileges. The first\nsuch annual review will be conducted in January 2010.\n\nRecommendation #15\nWe recommend that the Bureau of Information Services implement a policy to provide\nfor earlier identification and review of inactive contractor accounts by utilizing the LAN\naccount expiration setting, and timing it to coincide with individual contract expectations.\n\nResponse\nBIS agrees with this recommendation. Effective immediately, all contractor accounts\nwill be established using the LAN account expiration setting, timed to coincide with\nindividual contract expectations. Systems Assurance Group will require the form G-455,\nComputer Access Authorization Request, when used for temporary contractors, to be\nnotated with the expected account expiration date.\n\nRecommendation #16\nWe recommend that the Bureau of Information Services establish a formal, written,\nprocedure for executing emergency program changes. The procedure should specify a\nformal time standard for the review and authorization of the emergency change.\n\nResponse\nBIS agrees with this recommendation. Application Design Center will create a formal,\nwritten procedure for executing emergency program changes that specifies a formal\ntime standard for the review and authorization of the emergency change. This\nprocedure will be produced by April 1, 2010.\n\nRecommendation #17\nWe recommend that the Bureau of Information Services implement a control to prevent\na single individual, including supervisory personnel, from preparing an emergency\nprogram change and subsequently deleting the program code themselves.\n\nResponse\nBIS agrees with this recommendation. Application Design Center will specify in the\nemergency program change process that the individual who prepares an emergency\nprogram change will not be permitted to delete their own program code. This procedure\nwill be produced by April 1, 2010.\n\nRecommendation #18\nWe recommend that the Bureau of Information Services update the written password\npolicy in the Security Handbook and ensure its conformance to the FDCC security\nconfigurations.\n\n\n\n\n                                             27\n\x0c                                                                       Appendix V\n\n\n\nResponse\nBIS agrees with this recommendation. To the extent that is practicable, the Risk\nManagement Group will update the written password policy in the Security Handbook in\nconformance with the FOCC security configuration by January 1, 2010.\n\nRecommendation #19\nWe recommend that the Bureau of Information Services apply the FOCC password\nsettings in the LAN server Group Policy Object.\n\nResponse\nBIS agrees with this recommendation. Infrastructure Services Center will take action to\napply the FOCC password settings in the LAN server Group Policy Object. This will be\ncompleted by January 1, 2010.\n\nRecommendation #20\nWe recommend that the Bureau of Information Services instruct the system\nadministrators to begin using the temporary LAN password setting.\n\nResponse\nBIS agrees with this recommendation. The Customer Support Help Oesk personnel will\nbe provided with instructions to begin using the temporary LAN password setting by\nNovember 1, 2009.\n\n\n\n\n                                           28\n\x0c'